PCI Requirement 11.3.4.1 – Additional Requirement for Service Providers Only: If Segmentation is Used, Confirm PCI DSS Scope by Performing Penetration Testing on Segmentation Controls at Least Every Six Months and After Any Changes 

Segmentation, Scoping, and Penetration Testing

Are you a service provider? Do you use segmentation for the purpose of PCI scope reduction? PCI Requirement 11.3.4.1 introduced a new penetration testing requirement in PCI DSS v3.2 that has caused confusion among many service providers. PCI Requirement 11.3.4.1 states, “If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.”

PCI Requirement 11.3.4.1 requires that a penetration test validating the scope and effectiveness of segmentation controls be performed at least every six months and again after any change to the segmentation controls or methods. The purpose of this additional penetration test is to confirm that segmentation controls continue to operate effectively throughout the year, not only at the time of the annual assessment. If you rely on segmentation to keep systems out of scope, continuous isolation between the CDE and those out-of-scope systems is what justifies your reduced scope; a single path from an out-of-scope segment into the CDE pulls that segment back into scope.

Our approach to compliance with PCI Requirement 11.3.4.1 involves more than simply validating segmentation controls through port scanning. The PCI DSS specifies that penetration testing must be performed, so running something like nmap scans from non-CDE networks into the CDE is necessary but not sufficient on its own: the tester must also attempt to bypass or abuse the segmentation controls from every out-of-scope segment, not merely enumerate which ports answer. Additional effort is required in order to meet this requirement for penetration testing, and our team of penetration testers is ready to help.
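The following is an added example, not code from the original post or from the firm it describes. It shows the baseline reachability portion of a segmentation test: probing TCP ports on CDE targets from a host in an out-of-scope segment and recording the outcome as dated evidence. It is the part that port scanning covers; the requirement's penetration testing goes beyond it. Hostnames, ports and segment names are constructed for the example, and the run-time results depend on the network the script is run from.

```python
"""Baseline segmentation reachability check (added example, constructed inputs).

Run from a host in an out-of-scope segment against CDE targets. Every probe that
elicits any response from the CDE is evidence that a path through the segmentation
control exists and must be investigated.
"""
import socket
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List

# Constructed inventory: names and ports are placeholders, not real systems.
CDE_TARGETS = {"cde-db-01.example.internal": [1433, 3306], "cde-app-01.example.internal": [443, 8443, 22]}
SOURCE_SEGMENT = "corp-user-vlan-120"   # where this script is assumed to run


@dataclass
class Probe:
    source_segment: str
    target: str
    port: int
    outcome: str          # "open", "closed" or "filtered"
    observed_at: str      # ISO-8601 UTC timestamp, so the record can serve as evidence


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a single TCP connect attempt.

    "open"     -> handshake completed: a service in the CDE is reachable.
    "closed"   -> RST received: the packet was forwarded, or the firewall rejects
                  with a reset; either way a path exists and needs investigation.
    "filtered" -> no answer or no route: consistent with a drop by the
                  segmentation control (or the host being down).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"


def run_check(targets: dict, source_segment: str = SOURCE_SEGMENT) -> List[Probe]:
    """Probe every (target, port) pair and return dated records."""
    results = []
    for host, ports in targets.items():
        for port in ports:
            outcome = tcp_probe(host, port)
            stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
            results.append(Probe(source_segment, host, port, outcome, stamp))
    return results


def findings(probes: Iterable[Probe]) -> List[Probe]:
    """Anything other than 'filtered' means traffic crossed the segmentation boundary."""
    return [p for p in probes if p.outcome != "filtered"]


def summarize(probes: List[Probe]) -> dict:
    """Counts plus the list of findings, suitable for the six-monthly evidence pack."""
    counts = {"open": 0, "closed": 0, "filtered": 0}
    for p in probes:
        counts[p.outcome] += 1
    return {"counts": counts, "findings": findings(probes), "passed": not findings(probes)}


if __name__ == "__main__":
    report = summarize(run_check(CDE_TARGETS))
    print("counts:", report["counts"])
    for f in report["findings"]:
        print(f"FINDING {f.source_segment} -> {f.target}:{f.port} = {f.outcome} at {f.observed_at}")
    print("segmentation baseline PASSED" if report["passed"] else "segmentation baseline FAILED")
```

A "closed" result is deliberately treated as a finding rather than a pass: on many firewalls a reject-with-reset looks identical to a reset from the target host, so only a packet capture on the CDE side can tell them apart. Repeating the run from every out-of-scope segment, and keeping the dated records, is what turns this from a one-off scan into evidence for the six-month cycle; the penetration test then attempts to get through whatever paths the baseline reports.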

Video Transcript

There was a new requirement introduced in PCI DSS v3.2, which is PCI Requirement 11.3.4.1. It states that if you are a service provider, you need to validate that your segmentation is in place at least bi-annually, and then after any significant changes to the environment or controls that might affect your segmentation.
